Bigsam

Security Researcher

High findings: 38 total
Medium findings: 43 total
Total earnings: $37.99K (#220 all time)
Payouts: 41x
1st places: 1x (gold)
2nd places: 2x (silver)
3rd places: 2x (bronze)

Feb '25

Usual Labs

3,332.02 USDC • Sherlock • Bigsam

#6

Rova

0.04 USDC • 1 total finding • Sherlock • Bigsam

bronze

medium

Incorrect accounting will prevent users from readjusting their participation

Liquidity Management

590.25 usdc • 5 total findings • CodeHawks • bigsam

#14

high

Wrong refundExecutionFee in _handleReturn

high

Loss of fee refund due to premature state deletion in `PerpetualVault::_handleReturn` function

medium

Wrong index causes last depositor to always get execution fee refund if cancelFlow is called by keeper to cancel a withdrawal

medium

Functions that rely on chainlink prices cannot be queried on avalanche due to sequencer uptime check.

medium

User may withdraw more than expected if ADL event happens

Jan '25

Liquid Ron

252.63 USDC • Code4rena • Bigsam

#8

Aave DIVA Wrapper

304.52 usdc • 1 total finding • CodeHawks • bigsam

bronze

low

Incorrect handling of Aave v3 rounding in claim and redeem can temporarily DOS the DIVA fee recipient or the last user from redeeming/removing liquidity.

Part 2

1,172.65 usdc • 10 total findings • CodeHawks • bigsam

#15

high

Incorrect Credit Capacity Validation in `VaultRouterBranch.redeem` Enables Locked Collateral Drainage

high

Unclaimed Rewards Loss Due to Missing Validation in `VaultRouterBranch.stake()`

medium

rebalanceVaultsAssets incorrectly accounts vaults' depositedUsdc

medium

Incorrect swap amount in CreditDelegationBranch::settleVaultsDebt improperly inflates the tokens to swap leading to DOS or/and oversettling vault debt

medium

`_fillOrder` should update the vaults before deleveraging

low

`initiateSwap` allows users to initiate swap even when the vault is paused

low

Fulfill Swap will fail due to wrong minAmountOut calculation

low

Lack of a pool state update will cause Initiate Swap to return an incorrect amountOut

low

Total debt used in fulfilling swap actions is wrong because the vault is not updated first.

low

Users can initiate multiple swaps against the same vault/collateral, causing users to initiate swaps that cannot be fulfilled.

reserve-index-dtf

5,635.51 USDC • 1 total finding • Cantina • Bigsam

silver

medium

Finding not yet public.

hmx-orderbook

127.1 USDC • 1 total finding • Cantina • Bigsam

#7

medium

Finding not yet public.

FlatMoney v2 Update

2,137.64 USDC • Sherlock • Bigsam

#5

Findings not publicly available for private contests.

Dec '24

Tally ARB Staker

1,023.42 USDC • Sherlock • Bigsam

#5

Alchemix Transmuter

782.99 op • 3 total findings • CodeHawks • bigsam

#4

medium

Incorrect Total Assets Calculation in _harvestAndReport Leading to Share Value Manipulation and Irredeemable Assets

medium

Not adding the `claimable` balance to the total assets in `_harvestAndReport` can cause losses.

medium

Inflated `totalAssets` in `StrategyMainnet`, `StrategyArb`, and `StrategyOp` Contracts

SecondSwap

97.7 USDC • 2 total findings • Code4rena • Bigsam

#28

high

Users can claim more than their actual allotment

medium

Missing sellable check in completePurchase will cause a user to buy a token marked as unsellable by S2ADMIN if it was listed beforehand

Oku's New Order Types Contract Contest

3.56 OP • 4 total findings • Sherlock • Bigsam

#40

high

A malicious user can withdraw funds twice from the contract.

high

A malicious actor can claim a higher amount than they deposited by calling Create Order twice in the same timestamp

high

Attacker can exploit the fill order in the oracleless contract.

high

A malicious User can Spend receivers allowance in the STOP-LIMIT contract

Nov '24

hyperlend

2,751.5 USDC • 2 total findings • Cantina • Bigsam

#5

high

Finding not yet public.

medium

Finding not yet public.

Oct '24

Usual V1

4,367.29 USDC • 2 total findings • Sherlock • Bigsam

gold

high

Miscalculation of Fee in the Withdraw function in UsualX.sol

high

Loss of Reward for recipients when RemoveOriginalAllocation is called

AXION

111.80 USDC • 1 total finding • Sherlock • Bigsam

#10

medium

Precision loss due to the direct division of sqrtPrice by Q96

Sep '24

Liquid Staking

2,582.19 USDC • 5 total findings • CodeHawks • bigsam

#6

high

No LSTs transfer on node operator withdrawals resulting in stuck funds and loss for node operators

medium

Remove splitter will always revert if there are some rewards left on splitter contract

medium

Griefer can permanently DOS all the deposits to the `StakingPool`

medium

Vault fee receivers can conditionally block rewards distribution flow

low

Oversight when updating the basis fee in the staking pool without updating the rewards strategy

Staking

1,446.03 USDC • CodeHawks • bigsam

#14

Aug '24

The Wildcat Protocol

375.4 USDC • 1 total finding • Code4rena • Bigsam

#12

medium

Inconsistency across multiple repaying functions causing lender to pay extra fees.

ZeroLend One

1,252.37 USDC • 7 total findings • Sherlock • Bigsam

#10

high

When the user tries to liquidate the max debt, the code returns debt shares instead of the amount (as Aave normally implements in its liquidation calculations); this leads to significant financial miscalculation.

high

Withdrawing max collateral makes the asset collateral temporarily unusable because Get Supply Balance should return the total asset but instead returns supply shares + asset value.

high

Contract fails to deduct the liquidation fee from the user and instead withdraws it directly from the pool.

medium

DOS of the withdrawal function when a user (whale) tries to withdraw the max liquidity available

medium

CuratedVault deposit function will revert in some cases even when the main pool is not frozen and the supply cap is not reached, because of an incorrect deposit calculation.

medium

After a user withdraws, the interest rate is not updated accordingly, so the next user uses an inflated index on their deposit before the rate is normalized again

medium

Liquidation fails to update the interest rate when liquidation funds are sent to the treasury, so the next user uses an inflated index

Sentiment V2

129.55 USDC • 3 total findings • Sherlock • Bigsam

#27

medium

Setting the liquidation fee to 20-30% will break the protocol's liquidation function, which can only work if the RiskModule contract is forked, updated and redeployed

medium

SuperPool has a pause function but can never be paused.

medium

Incorrect asset check in SuperPool when depositing into any Pool contract.

Tadle

29.69 USDC • 4 total findings • CodeHawks • bigsam

#79

high

TokenManager - Unlimited withdraw

high

Taker of a bid offer will lose assets without any benefit if they call `DeliveryPlace::settleAskMaker()` for partial settlement.

high

Formulaic Error Rounds Down Causing Total Loss Of Funds For Bid Takers During Abort

high

The `DeliveryPlace::settleAskTaker()` function mistakenly uses `makerInfo.tokenAddress` to update the `TokenBalanceType.PointToken` in the `userTokenBalanceMap` mapping, leading to a critical error.

Jul '24

LoopFi

254.64 USDC • 5 total findings • Code4rena • Bigsam

#28

high

Availability of deposit invariant can be bypassed

high

Liquidation doesn't account for penalty when calculating collateral to give, allowing users to profit by borrowing and self-liquidating

high

`Flashlender.sol#flashLoan()` should use `mintProfit()` to mint fees. The current implementation may lead to locked up WETH in PoolV3.

medium

WhenNotPaused modifier in the CDPVault can be bypassed by users

medium

`PendleLPOracle::_fetchAndValidate` uses Chainlink's deprecated `answeredInRound`

Exactly Protocol Update - Staking Contract

52.40 USDC • 1 total finding • Sherlock • Bigsam

#7

medium

All the rewards available for a particular ERC20-compliant token will not be properly distributed, leading to a permanent loss of yield for stakers due to precision loss.

Zaros Part 1

221.61 USDC • 6 total findings • CodeHawks • bigsam

#28

high

`SettlementBranch._fillOrder` does not guarantee the collateral of a position is enough to pay the future liquidation fee.

high

Market Disruption and Financial Loss Post-Liquidation

medium

A malicious user can DOS all offchain orders, making them unexecutable and leaving the protocol in an insolvent state. All offchain trades can also be DOSed for honest parties that do not meet the fillOrder requirements (no try/catch)

low

Offchain orders are not cancelled after the account has been liquidated

low

Trading accounts can exceed the maximum number of allowed open positions.

low

Settlement fills liquidatable Market Orders

Union Finance Update #2

2,612.69 USDC • 4 total findings • Sherlock • Bigsam

silver

high

Wrong calculation of accrued reward in Comptroller.sol

high

Repaying a loan with permit in UErc20.sol wrongly calculates the interest to be paid; this reduces/increases the protocol's profits because interest calculations are not performed correctly.

high

Max claimable tokens by msg.sender (user) in Vouch Faucet can be bypassed due to an insufficient check.

medium

Users can borrow below the minBorrow limit because of a bypass caused by the remainder being greater than 0.

MakerDAO Endgame

3,254.19 USDC • Sherlock • Bigsam

#30

Jun '24

Vultisig

221.08 USDC • 2 total findings • Code4rena • Bigsam

#15

high

Vultisig whitelisting can be bypassed by anyone

high

Most users won't be able to claim their share of Uniswap fees

Size

6.22 USDC • 2 total findings • Code4rena • Bigsam

#57

high

Users won't liquidate positions because the logic used to calculate the liquidator's profit is incorrect

medium

Fragmentation fee is not taken if user compensates with newly created position

May '24

Predy

0.17 USDC • 1 total finding • Code4rena • Bigsam

#42

medium

Chainlink's `latestRoundData` might return stale or incorrect results

Munchables

0.02 USDC • 3 total findings • Code4rena • Bigsam

#15

high

Malicious user can call `lockOnBehalf` repeatedly to extend a user's `unlockTime`, removing their ability to withdraw previously locked tokens

high

Invalid validation allows users to unlock early

medium

Missing disapproval check in `LockManager.sol::approveUSDPrice` allows simultaneous approval and disapproval of a price proposal

LoopFi

71.11 USDC • 5 total findings • Code4rena • Bigsam

#8

high

Availability of deposit invariant can be bypassed

high

Liquidation doesn't account for penalty when calculating collateral to give, allowing users to profit by borrowing and self-liquidating

high

`Flashlender.sol#flashLoan()` should use `mintProfit()` to mint fees. The current implementation may lead to locked up WETH in PoolV3.

medium

WhenNotPaused modifier in the CDPVault can be bypassed by users

medium

`PendleLPOracle::_fetchAndValidate` uses Chainlink's deprecated `answeredInRound`

Apr '24

Renzo

18.2 USDC • 1 total finding • Code4rena • Bigsam

#41

medium

Pending withdrawals prevent safe removal of collateral assets

NOYA

130.67 USDC + NOYA stars • 3 total findings • Code4rena • Bigsam

#47

high

`AccountingManager::resetMiddle` will not behave as expected

high

It is possible to open an insolvent position in the Silo connector, due to a missing check in the borrow function

medium

`performanceFeeReceiver` cannot mint any performance fee shares even if TVL is dropped by only a very tiny amount

TITLES Publishing Protocol

13.94 USDC • 1 total finding • Sherlock • Bigsam

#42

medium

Vulnerability Report: Denial-of-Service Attack Risk Due to Inadequate Signature Verification in Contract

DYAD

17.29 USDC • 1 total finding • Code4rena • Bigsam

#84

medium

No incentive to liquidate when CR <= 1 as asset received < dyad burned

Mar '24

Ondo Finance

2,243.37 USDC • 1 total finding • Code4rena • Bigsam

#7

medium

Inadequate Handling of BUIDL Redemption Limit in OUSG Instant Manager

DittoETH

60.02 USDC • 1 total finding • Code4rena • Bigsam

#23

medium

oracleCircuitBreaker: Not checking if price information of asset is stale

Smart Wallet

36.34 USDC • Code4rena • Bigsam

#14

Abracadabra Mimswap

224.16 USDC • 1 total finding • Code4rena • Bigsam

#16

medium

Permanent loss of yield for stakers in reward pools due to precision loss.

Revert Lend

42.78 USDC • Code4rena • Bigsam

#59